
Azure Integration

Veeam Compute Account

A compute account is required if you wish to restore backups to Azure as well as to deploy and manage Veeam Cloud Machines.

You can either create the Azure App Registration manually or have VBR create it for you.

NOTE: VBR will use a secret for the Azure AD Application by default. If you wish to use a certificate you will need to create the Azure AD Application manually.

Automatic Creation

In VBR the term “Account” is used, which has a dual meaning:

  1. The User Account that is used to connect and create the Azure AD Application
  2. The Azure AD Application being created

The Help Center documentation states:

If you use a new Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard) when adding a Microsoft Azure Compute account, the Microsoft Azure AD user account where the AD application will be created must have the following privileges:

  • To register applications. This can be the Global Administrator privileges assigned to the user or the Users can register applications option enabled for the user in Azure portal.
  • To assign a role on the subscription level for the registered application. This can be the Owner role or if the Owner role cannot be used, you can create a custom role with minimal permissions.

This means that you must have either:

  • “Users can register applications” setting enabled OR
  • The Azure AD Global Administrator role assigned to user account

Plus:

  • The Azure RBAC Owner role or a custom role with minimal permissions assigned

NOTE: if the “Users can register applications” setting is enabled or the account has Global Admin, but the account does not have either the Owner role or the custom role, the application will be created but the role assignment will fail.

The account then cannot be used for any Veeam operations.

You will also see an error pop up in the VBR console:

(Screenshot: VBR Error)

You will need to remove the account, add the Owner role or custom role, and then re-add the account.

To enable “Users can register applications” you can find this setting under:

Azure Active Directory > User Settings > Users can register applications toggle.
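As an added example (not from the Veeam documentation), the following PowerShell pre-flight check verifies both prerequisites for the signed-in user before the VBR wizard is run, so the application-created-but-assignment-failed state described above is avoided. It assumes the Az.Accounts, Az.Resources and Microsoft.Graph modules are installed and only looks at direct role assignments, not ones inherited through group membership.

```powershell
# Pre-flight check for the VBR "Create a new account" flow (added example, not Veeam code).
# Assumes the Az.Accounts, Az.Resources and Microsoft.Graph modules are installed.
param(
    [Parameter(Mandatory)] [string] $SubscriptionName
)

function Test-RoleGrantsAction {
    param([Parameter(Mandatory)] $RoleDefinition, [Parameter(Mandatory)] [string] $Action)
    # Azure RBAC semantics: Actions are wildcard allow patterns, NotActions subtract from them.
    # This is why Owner ('*') passes while Contributor ('*' minus Microsoft.Authorization/*/Write) fails.
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

Connect-AzAccount | Out-Null
$subscription = Get-AzSubscription -SubscriptionName $SubscriptionName
$subScope     = "/subscriptions/$($subscription.Id)"
$upn          = (Get-AzContext).Account.Id

# Prerequisite 1: the user may register applications, either through the tenant-wide
# "Users can register applications" toggle or by holding Global Administrator.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' | Out-Null
$tenantToggle  = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
$gaRole        = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$isGlobalAdmin = $false
if ($gaRole) {   # the role object only exists once the role has been activated in the tenant
    $members       = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
    $isGlobalAdmin = [bool]($members | Where-Object { $_.AdditionalProperties['userPrincipalName'] -eq $upn })
}

# Prerequisite 2: a direct role assignment at subscription scope (Owner or the custom role) that
# grants roleAssignments/write; without it VBR creates the application but cannot grant it a role.
$needed    = 'Microsoft.Authorization/roleAssignments/write'
$canAssign = $false
foreach ($assignment in Get-AzRoleAssignment -SignInName $upn -Scope $subScope) {
    $definition = Get-AzRoleDefinition -Name $assignment.RoleDefinitionName
    if (Test-RoleGrantsAction -RoleDefinition $definition -Action $needed) { $canAssign = $true; break }
}

[pscustomobject]@{
    User                    = $upn
    CanRegisterApplications = [bool]($tenantToggle -or $isGlobalAdmin)
    CanWriteRoleAssignments = $canAssign
    ReadyForNewAccountFlow  = [bool](($tenantToggle -or $isGlobalAdmin) -and $canAssign)
}
```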

Custom Role Creation and Assignment

As the documentation states, you can also create a custom role with minimal permissions if you do not wish to use the Owner role. However, this still assigns the Azure AD Application the Contributor role and Key Vault Crypto User role. If that is not acceptable you will need to create an Azure AD Application manually (see below).

The specific permissions for the custom role are:

'Microsoft.Authorization/roleAssignments/read'
'Microsoft.Authorization/roleAssignments/write'

As you can see, these permissions are specific to assigning Azure RBAC roles.

Permissions for Azure Compute Account (New Application)

NOTE: the link above includes a PowerShell script to create the custom role.

To create the custom role you can use the Azure Portal, PowerShell or Bicep. You will find an example of PowerShell in the link above, and Bicep in a section below.

To assign the Owner role or the custom role to the user you can use the Azure Portal; see the following guide:

Azure RBAC Role Assignment

You can also use PowerShell to assign the role:

# Build the subscription scope first; $subScope is not defined by default
$subscription = Get-AzSubscription -SubscriptionName "Your Subscription Name"
$subScope = "/subscriptions/$($subscription.Id)"

New-AzRoleAssignment -SignInName you@yourdomain.com `
  -RoleDefinitionName "Veeam Register Azure Compute Account using new Azure AD application" `
  -Scope $subScope

Using an Existing Azure AD Application

The Help Center Documentation states:

If you use an existing Azure AD application (select the Use the existing account option at the Subscription step of the wizard) when adding a Microsoft Azure Compute account, the application must have the Contributor role and Key Vault Crypto User role privileges for the selected subscription. If you restore workloads to Microsoft Azure and cannot use the Contributor role, you can create a custom role with minimal permissions.

Unlike the New Application flow above, you are not assigning the permissions to the user account, but directly to the Azure AD Application.

In this case you need to:

  1. Create the Azure AD Application
  2. Options:
    • Assign the Azure RBAC Contributor role and Key Vault Crypto User role to the Azure AD Application
    • Create a custom role with minimal permissions and assign it to the AD Application along with the Key Vault Crypto User role

NOTE: it is recommended to use a Certificate instead of a secret for the Azure AD Application due to the higher security of certificates.

The custom role requires all the permissions as stated in the PowerShell script here:

Permissions for Azure Compute Account (Existing Application)

You can create the role using the PowerShell example in the link above or via the Bicep example below.

To assign the roles to the AD Application you can use the Azure Portal, see the following guide:

Azure RBAC Role Assignment

But instead of searching for the User account you search for the Service Principal of the Azure AD Application.

You can also do the assignment via PowerShell:

$spId = (Get-AzADServicePrincipal -DisplayName "Your App Registration Name").Id
$subscription = Get-AzSubscription -SubscriptionName "Your Subscription Name"
$subScope = "/subscriptions/$($subscription.Id)"

New-AzRoleAssignment -ObjectId $spId `
  -RoleDefinitionName "Veeam Restore Operator" `
  -Scope $subScope

New-AzRoleAssignment -ObjectId $spId `
  -RoleDefinitionName "Key Vault Crypto User" `
  -Scope $subScope
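As an added example (not Veeam's own code), the following PowerShell audit checks an existing application against the requirements in this section: both roles held at subscription scope, and whether the application still authenticates with a client secret rather than the recommended certificate. It assumes Az.Accounts, Az.Resources and Microsoft.Graph are installed; the 30-day expiry window is an arbitrary choice.

```powershell
# Audit of an existing Azure AD application used as a VBR Compute Account (added example, not Veeam code).
# Assumes Az.Accounts, Az.Resources and Microsoft.Graph are installed.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName,
    [Parameter(Mandatory)] [string] $SubscriptionName,
    # Built-in Contributor, or the name of the custom role created for VBR
    [string] $ComputeRoleName = 'Contributor'
)

Connect-AzAccount | Out-Null
$subscription = Get-AzSubscription -SubscriptionName $SubscriptionName
$subScope     = "/subscriptions/$($subscription.Id)"

$app = @(Get-AzADApplication -DisplayName $AppDisplayName)
if ($app.Count -ne 1) { throw "Expected exactly one application named '$AppDisplayName', found $($app.Count)" }
$app = $app[0]
$sp  = Get-AzADServicePrincipal -ApplicationId $app.AppId

# 1. Role assignments: both roles must be held at subscription scope (or inherited from above it).
$assigned = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subScope | ForEach-Object RoleDefinitionName)
$required = @($ComputeRoleName, 'Key Vault Crypto User')
$missing  = @($required | Where-Object { $assigned -notcontains $_ })

# 2. Credentials: keyCredentials are certificates, passwordCredentials are client secrets.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$mgApp   = Get-MgApplication -Filter "appId eq '$($app.AppId)'" | Select-Object -First 1
$certs   = @($mgApp.KeyCredentials)
$secrets = @($mgApp.PasswordCredentials)
$cutoff  = (Get-Date).AddDays(30)   # constructed window; adjust to your renewal process
$expiringSoon = @($certs + $secrets | Where-Object { $_.EndDateTime -lt $cutoff })

[pscustomobject]@{
    Application            = $AppDisplayName
    ServicePrincipalId     = $sp.Id
    MissingRoles           = $missing
    UsesCertificate        = $certs.Count -gt 0
    UsesClientSecret       = $secrets.Count -gt 0   # true: plan the move to a certificate
    CredentialsExpiring30d = $expiringSoon.Count    # an expired credential breaks the VBR account
    RolesComplete          = ($missing.Count -eq 0)
}
```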

Veeam Storage Account

Azure storage accounts are required for both the Archive Tier and the Restore to Azure functionality.

Unlike compute accounts, Veeam storage accounts are linked to the specific Azure Storage Account via the access key and secret key. Note that Shared Access Signatures are not supported.

However, as Archive Tier requires additional permissions to be granted outside of accessing the storage, an Azure AD application is required.

Though not stated in the documentation, you can use the same process as the Veeam Compute Account above for a new Azure AD Application.

However, if you wish to create a custom role for this you can use the following permissions:

Archive Storage Account Permissions

Again, follow the same process as above for an existing Azure AD Application.

Deployment/ Integration of Veeam Backup for Azure

The user permissions required for this are the same as the Veeam Compute Account, see above.

Cloud Machines

Cloud Machine backups allow Azure VMs to be backed up to Azure Blob Storage without the need for a network connection or proxy.

If you wish to create a new account, you can use the same process as the Veeam Compute Account above.

Alternatively, you can create a custom role for an existing Azure AD Application. This is similar to the Use Existing Azure AD Application process, but with the following Azure AD Application permissions:

Cloud Machines Permissions

Custom Role Creation via Bicep

Below is a Bicep example of creating the custom role required for Veeam Backup for Azure.

ARM can be used but tends to be more verbose.

Using Bicep allows for the role to be created programmatically allowing for repeatable deployments and tracking of changes via tools such as Git.

Bicep example, VBR New Application:

targetScope = 'subscription'

@description('VBR Actions')
param actions array = [
  'Microsoft.Authorization/roleAssignments/read'
  'Microsoft.Authorization/roleAssignments/write'
]

@description('VBR not Actions')
param notActions array = []

@description('VBR Data Actions')
param dataActions array = []

@description('Veeam Register Azure Compute Account using new Azure AD application')
param roleName string = 'VBR Azure User Role'

@description('Permissions needed to add an Azure Compute Account based on new Azure AD application')
param roleDescription string = 'VBR Azure User Role'

var roleDefName = guid(subscription().id, string(actions), string(notActions))

resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: roleDefName
  properties: {
    roleName: roleName
    description: roleDescription
    type: 'customRole'
    permissions: [
      {
        actions: actions
        notActions: notActions
        dataActions: dataActions
      }
    ]

    assignableScopes: [
      subscription().id
    ]
  }
}
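Because the template declares targetScope = 'subscription', it has to be deployed at subscription level rather than into a resource group. The PowerShell below (an added example, not Veeam's code) deploys the Bicep file above and then assigns the resulting custom role; it assumes the file is saved as ./vbr-custom-role.bicep, that the bicep CLI is available to Az.Resources, and uses -UserPrincipalName for the new-application flow (the role is held by the user running the VBR wizard) or -AppDisplayName for an existing application.

```powershell
# Deploy the Bicep role definition at subscription scope and assign the role (added example, not Veeam code).
# Assumes ./vbr-custom-role.bicep holds the template above and the bicep CLI is available to Az.Resources.
param(
    [Parameter(Mandatory)] [string] $SubscriptionName,
    [string] $UserPrincipalName,                             # new-application flow: the VBR wizard user
    [string] $AppDisplayName,                                # existing-application flow: the Azure AD app
    [string] $RoleName     = 'VBR Azure User Role',          # default roleName in the Bicep file
    [string] $TemplateFile = './vbr-custom-role.bicep',
    [string] $Location     = 'westeurope'                    # deployment metadata location only
)

Connect-AzAccount | Out-Null
$subscription = Get-AzSubscription -SubscriptionName $SubscriptionName
Set-AzContext -SubscriptionId $subscription.Id | Out-Null
$subScope = "/subscriptions/$($subscription.Id)"

# 1. Subscription-level deployment; template parameters are passed as an object.
$deployment = New-AzSubscriptionDeployment -Name "vbr-custom-role-$(Get-Date -Format yyyyMMddHHmm)" `
    -Location $Location -TemplateFile $TemplateFile -TemplateParameterObject @{ roleName = $RoleName }
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# 2. Resolve the role by display name; the guid() resource name in Bicep is an implementation detail.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) { throw "Custom role '$RoleName' not visible after deployment" }

# 3. Pick the principal: a user for the new-application flow, a service principal for an existing one.
if ($UserPrincipalName)  { $principalId = (Get-AzADUser -UserPrincipalName $UserPrincipalName).Id }
elseif ($AppDisplayName) { $principalId = (Get-AzADServicePrincipal -DisplayName $AppDisplayName).Id }
else { throw 'Specify -UserPrincipalName or -AppDisplayName' }

# 4. Assign only if missing: New-AzRoleAssignment errors on an identical existing assignment.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $subScope
if ($existing) {
    Write-Host "'$RoleName' is already assigned to $principalId at $subScope"
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $subScope
}
```

For the existing-application custom role, pass the action list from the linked PowerShell script through the same parameter object (the actions key), since the Bicep defaults only cover the new-application role.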

Deploying Veeam Backup for Azure via Veeam Backup and Replication

The deployment of Veeam Backup for Azure can be done via the Azure Marketplace, or via the Azure Portal.

However, this is a multi-step process including the creation of both the Veeam Backup for Azure instance and the manual assignment of blob storage to the Veeam Backup for Azure appliance.

If you choose to deploy Veeam Backup for Azure via Veeam Backup and Replication, the wizard guides you through the whole process, including the assignment of the blob storage and several configuration steps that are otherwise required when deploying via the marketplace.

Pros:

  • Simple to use deployment wizard including automatic repository assignment
  • Single pane of glass for VBR and VBAzure management
  • VBR can be used to manage multiple VBAzure instances
  • Allows for choice of using Cloud Machines if an application is not supported
  • Allows for centralized configuration backup and restore
  • Allows for centralized license management
  • Allows for centralized monitoring and alerting
  • Allows for copies of supported Azure backups to on-premises VBR repositories
  • Allows for restore of VBAzure backups to on-premises VBR
  • Allows for restore of Azure backups to AWS and GCP

Cons:

  • Requires VBR to be deployed

Note that VBR can be deployed within Azure if needed which can be beneficial if you have multiple VBAzure instances to manage.

Using a VPN or ExpressRoute

It is possible to use a VPN or ExpressRoute for restore to Azure, Cloud Machines, and Capacity/Archive Tier. However, it is not recommended as it increases the cost and complexity of the solution, and arguably does not significantly increase its security.

However, if it is required, please see the following KB articles:

Restore to Azure

Offloading to Azure Blob

References

Veeam:

Help Center Create New Azure Account Permissions

VBR Integration with VBAzure Permissions

Azure Archive Storage Account Permissions

PowerShell / Permissions for Azure Compute Account (New Application)

PowerShell / Permissions for Azure Compute Account (Existing Application)

Restore to Azure KB

Offloading to Azure Blob KB

Azure:

Azure Owner Role

Azure Contributor Role

Azure Key Vault Crypto User Role

Azure RBAC Role Assignment

Azure RBAC Role Assignment - Grant Access PowerShell

Bicep Documentation


Copyright © 2023 Solutions Architects, Veeam Software.